The crontab program installs, deinstalls, or lists the tables used to drive the cron daemon. Users can have their own crontab files that set up the time and frequency of execution, as well as the command or script to execute.

The gpasswd command administers the /etc/group file and /etc/gshadow file if compiled with SHADOWGRP defined. The gpasswd command allows system administrators to designate group administrators for a particular group. Refer to the gpasswd man page for more detailed information.

The login program is used when signing on to a system. If root is trying to log in, the program makes sure that the login attempt is being made from a secure terminal listed in /etc/securetty. The login program prompts for the password and turns off the terminal echo in order to prevent the password from being displayed as the user types it. The login program then verifies the password for the account; although three attempts are allowed before login dies, the response becomes slower after each failed attempt. Once the password is successfully verified, various password aging restrictions, which are set in the /etc/login.defs file, are checked. If the password age is satisfactory, then the program sets the user ID and group ID of the process, changes the current directory to the user’s home directory, and executes a shell specified in the /etc/passwd file. Refer to the login man page for more detailed information.
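The sequence described above (securetty check for root, three attempts with a growing delay, then the password age check) can be modelled as follows. This is an added example, not code from the login program: the function names, the delay values, the account dictionary and the SHA-256 stand-in for password verification are assumptions, and the sample file contents are constructed.

```python
import hashlib
import hmac

MAX_ATTEMPTS = 3  # the text: three attempts are allowed before login exits

def parse_securetty(text):
    """Terminal names from /etc/securetty-style text (one per line, # comments)."""
    return {l.split("#", 1)[0].strip() for l in text.splitlines()} - {""}

def parse_login_defs(text):
    """KEY/value pairs from /etc/login.defs-style text."""
    defs = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs

def hash_pw(password, salt):
    # Stand-in for the system's real password verification (assumption).
    return hashlib.sha256((salt + password).encode()).hexdigest()

def login(user, tty, typed, account, securetty, defs, today):
    """Return (outcome, delays); `typed` is the list of passwords entered."""
    # Step 1: root may only sign on from a terminal listed in securetty.
    if user == "root" and tty not in securetty:
        return "denied: insecure terminal", []
    # Step 2: up to three attempts, each failure slowing the response.
    delays = []
    for attempt, pw in enumerate(typed[:MAX_ATTEMPTS], start=1):
        if hmac.compare_digest(hash_pw(pw, account["salt"]), account["hash"]):
            break
        delays.append(attempt * 2)  # hypothetical back-off in seconds
    else:
        return "denied: authentication failed", delays
    # Step 3: password age against the login.defs limit, as the text describes.
    max_days = int(defs.get("PASS_MAX_DAYS", 99999))
    if today - account["last_change"] > max_days:
        return "stopped: password age check failed", delays
    # Step 4: the real program would now set UID/GID, chdir and exec the shell.
    return "shell: " + account["shell"], delays

# Constructed sample inputs (dates are day counts, as in password aging data).
SECURETTY = parse_securetty("# constructed sample\ntty1\ntty2  # console\n")
LOGIN_DEFS = parse_login_defs("PASS_MAX_DAYS 60\nPASS_MIN_DAYS 1\n")
ROOT = {"salt": "s1", "hash": hash_pw("correct horse", "s1"),
        "last_change": 100, "shell": "/bin/bash"}
```
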

The passwd command updates a user’s authentication tokens, and is configured to work through the PAM API. It then configures itself as a password service with PAM, and uses configured password modules to authenticate and then update a user’s password. The passwd command turns off terminal echo while the user is typing the old as well as the new password, in order to prevent displaying the password typed by the user. Refer to the passwd man page for more detailed information.

The su command allows a user to run a shell with substitute user and group IDs. It changes the effective user and group IDs to those of the new user. Refer to the su man page for more detailed information.

The following are trusted programs that do not fit into the above two categories.

The agetty program, the alternative Linux form of getty, opens a tty port, prompts for a login name, and invokes the /bin/login command. The /sbin/init program invokes it when the system becomes available in a multi-user mode.

The amtu program is a special tool provided to test features of the underlying hardware that the TSF depends on. The test tool runs on all hardware architectures that are targets of evaluation and reports problems with any underlying functionalities.

In addition to setting the audit filter rules and watches on file system objects, auditctl can be used to control the audit subsystem behavior in the kernel when auditd is running. Only an administrative user is allowed to use this command.

The ausearch command finds audit records based on different criteria from the audit log. Only an administrative user is allowed to use this command.

The aureport command produces reports of the audit system logs.

The init program is the first program to run after the kernel starts running. It is the parent of all processes, and its primary role is to create processes from a script stored in the /etc/inittab file. This file usually has entries that cause init to spawn getty on each line on which users can log in.

The chsh command allows users to change their login shells. If a shell is not given on the command line, chsh prompts for one.

IBM 10 SP1 EAL4 manual